Disposal of Protected Health Information (PHI) is a critical component of compliance under HIPAA. HIPAA’s Privacy and Security Rules require covered entities and their business associates to protect individuals’ health information throughout its lifecycle—including the point when information is no longer needed and must be disposed of securely.
This started with the idea of shredding paper records, and moves to the concept of deleting health care records after a period of time as permitted by law. In addition, disposing of computers and smart phones will have additional rules under state licensure laws as applicable to health care practitioners.
The Privacy Rule mandates that covered entities implement reasonable administrative, technical, and physical safeguards to protect PHI, and this extends to disposal practices. The Security Rule further requires documented policies and procedures addressing the final disposition of electronic PHI (ePHI) and media on which it is stored, ensuring that information cannot be accessed or reconstructed once it is discarded.
Importantly, HIPAA does not prescribe one specific disposal method. Instead, it emphasizes a risk-based approach: covered entities must assess the types of PHI they handle and adopt disposal practices that render information “unreadable, indecipherable, and otherwise cannot be reconstructed.” Examples of acceptable practices include shredding, burning, pulping, or pulverizing paper records; securely clearing, purging, or destroying electronic media; and using locked receptacles or secure collection vendors for PHI pickup.
A clear prohibition exists on simply discarding PHI in trash receptacles that are publicly or otherwise unauthorized accessible, such as unsecured dumpsters, recycling bins, or ordinary waste containers. If PHI is deposited in such locations without being irreversibly destroyed first, it can lead to unauthorized access and constitutes a failure to safeguard PHI under HIPAA.
The rules also require workforce training: all personnel involved in disposal—whether on-site or off-site—must be trained on and follow the entity’s PHI disposal policies. If employees use PHI off the entity’s premises, the organization must decide whether those workers return it for secure disposal or follow approved methods themselves (e.g., shredding). Appropriate sanctions must be applied if workforce members fail to comply.
Beyond these federal requirements, state licensure laws can impose additional disposal or record retention obligations that go beyond HIPAA, especially in regulated medical professions or telehealth contexts. These laws might dictate how long certain records must be preserved, how they must be destroyed, or specific notices to patients when a practice closes—elements that health care professionals must navigate carefully alongside HIPAA’s flexible yet strict minimum standards.
Overall, effective disposal policies protect patient privacy, limit the risk of data breaches, and reduce legal liability. Covered entities should leverage HIPAA compliance frameworks while also understanding and integrating state licensure requirements to ensure holistic and defensible disposal practices.
Areas Covered in the Session
- HIPAA guidelines when disposing of PHI
- Reasonable safeguards and protections disposal practices
- Examples of acceptable and unacceptable disposal methods
- Uses of Business Associates and Third Parties for disposal
- Compliance and enforcement
- State licensure laws and How They Apply in Addition to HIPAA
- Special scenarios and Tips and Techniques
- The Horror Story of the Broken Laptop
- Did you Know the Office Photocopier Has a Photographic Memory?
Who will Benefit?
Attendance would greatly benefit those who dispose of PHI in their line of healthcare work.
Why should you Attend?
Attend to learn the proper and improper methods of disposing of PHI and the consequences that one can face if guidelines are not met.
